
Security News Dump from Ignite

Mar 24, 2021 | 26 min | Season 1 | Ep. 24

Episode description

This episode is a little different, we cover the latest security news and updates from the Microsoft Ignite conference. Lots of topics covering SQL Server, CosmosDB, Azure Security Center, Azure Kubernetes Service, Windows 2022, VM updates, Azure Sphere, Azure Backup, TypeScript, Azure Sentinel and Azure Purview.

Transcript

Welcome to the Azure Security Podcast, where we discuss topics relating to security, privacy, reliability, and compliance on the Microsoft Cloud Platform. Hey everybody, welcome to episode 24. This week's a little bit different than normal. Rather than having a guest, there's actually been a lot of security news over the last few weeks. So we're just going to cover essentially just the news. Also this week, it's just Sarah and myself. Gladys is crazy busy and Mark is taking a well-earned break.

So Sarah, why don't you take it away?

Hi everyone. So I've got a nice selection of news this week. It's some of my favorite things. I have some AKS, some ASC, and of course my baby is some Sentinel and Azure Monitor. So starting with AKS, now confidential computing nodes are available on AKS. They've gone GA. So they have been in preview before, but now they're GA, which means they have an SLA. We know that quite a few customers don't want to use things in production until they go GA.

So what that means is, AKS is now supporting Enclave Aware Containers, that are programmed for the TEE or Trusted Execution Environment, which is very cool. So if you need to do some processing within an Enclave for something very confidential, you can now do that in AKS, which is cool. Next couple of things, again AKS: AKS is now supporting just-in-time access for tasks that require elevated permissions.

So just-in-time or JIT, you might be familiar with that because it's something that we have in ASC at the moment. Oh, beg your pardon, not ASC now. That part, JIT, is actually in Azure Defender. Basically what it means is, if there's a task in AKS that requires elevated permissions, you can temporarily grant that user account those permissions to be able to do that.

So that user account doesn't have to run all the time with those elevated permissions, which of course can increase the risk profile of that particular account. So really good to see that that is now also part of AKS as well. Another AKS one for you, AKS is now supporting a new Azure policy that makes sure that OS and data disks are encrypted using customer managed keys.

That means that now we can actually create a policy that will audit whether or not customer managed keys are being used. It means that if someone tries to create resources without customer managed keys, if you put this policy in place and set it to enforce, you'd actually be able to deny that.

That is something that can be very important for some of our customers, particularly those who work in very highly regulated environments where they're not able to use the Microsoft provided keys. So great to see that that support has also come into AKS. Then last but not least for my AKS updates, conditional access within AKS has now gone GA. So conditional access is an Azure AD feature. What it does is it will look at the characteristics of a log on.

If that log on is unusual or anomalous in some way, so it might be that it's come from a different country, it might be from a device that you've never logged in from. You as an organization are able to set policies, because Azure AD will give that log in a risk rating, it will be low, medium, or high, and then in conditional access, you can configure what you want to happen. So if it's a red, if it's a high risk login, you might want to block them or you might want to make them re-authenticate.

There's quite a lot of options and I won't digress into what you can do there. But now that's also available in AKS, which is great because it means that if someone logs into AKS in a way that Azure AD considers to be anomalous or unusual, you can use your conditional access controls on AKS as well, which is very cool. So moving on to ASC, just to talk a little bit about some of the things that have gone GA in ASC this month.

The new security alerts page has now gone GA, you may have already seen the preview of that. The Kubernetes workload protection recommendations, so the recommendations around how you configure your Kubernetes workloads, that's also GA. You see, we never get away from Kubernetes, it's too cool. We've also got that the SQL data classification recommendation doesn't affect your secure score. So that's great because there are some customers that can't change that or can't use it.

So this will no longer bring down your secure score. Then a couple of preview updates this month. We've got the Defender for Endpoint integration with Azure Defender, is now supporting Windows Server 2019 and Windows 10 Virtual Desktop. They are two platforms, of course, that a lot of you will be using. A lot of people have gone to Windows Virtual Desktop since last year because of COVID. So really good to see that there's more integration there as well.

You'll also be able to trigger workflow automations with changes to regulatory compliance assessments. So if your regulatory compliance assessment changes, if it goes up or if it goes down, you'll be able to trigger a workflow to possibly remediate that or alert someone. Whatever you need to do, there's a lot of options with workflows. Moving on to Azure Monitor. We also have Azure Monitor alerts for Azure Backup, which is now in public preview.

So that means that it's all helping us get towards users having a consistent experience for alert management across different Azure services. So that means now that you can route your alerts to any notification channel that's supported by Azure Monitor, so email, ITSM, webhooks, etc. So that means, of course, that if you need to configure some monitoring alert for Azure Backup, you can now do that, which is very good because of course, Azure Backup itself is very important.

Then I'm going to talk about what's going on with Sentinel because Sentinel is my favorite, and I couldn't, of course, do a podcast without at least talking about Sentinel and containers and Kubernetes. So let's talk about what we announced for Sentinel. We actually announced that we're now doing a sync with Microsoft 365 Defender. So you can now sync your incidents between Microsoft 365 Defender and Sentinel.

So what that means is if you update your incident in one of those products, it's going to update in the other one as well, which means you don't have to keep popping between the tools, which is really nice. It also means that it quite seamlessly will let you hop back into the other platform. So if you need to do some evidence collection or maybe a bit of a deeper investigation in Defender from Sentinel, you're just going to be able to click and it will take you back to that portal.

So I'm not saying that you're not going to have to do perhaps a little bit of moving between the portals. That's not realistic, but we're really reducing it and making that integration much nicer. We've also just released 30 new data collectors. Not going to name them all. There is a full list of them. We'll put them in the show notes. But now we're almost at 100 built-in connectors. We're at 90 something, which makes me sad, I was hoping we'd hit 100.

We will do very soon, but we're always adding those really common, the most requested connectors from customers. We always want to hear feedback on that by the way. So please go to user voice or hit up your local account team and tell us what connectors you want if you don't already see the one you want. We're also going to be doing improvements to automation. So we're going to be changing up the playbooks in the automation page.

What that means is you're going to be able to create automation rules, which will simplify the automation of common incident response actions. So what that means is you'll be able to create maybe a change of severity, close an incident, do some straightforward easy bits of automation. You'll be able to do them in the UI of Sentinel without having to create a whole logic app. So again, just trying to make things really, really easy. Then last but not least, Notebooks has now gone GA for Sentinel.

So if you're not familiar with Notebooks, Jupyter Notebooks is a way of writing your own machine learning models in Python, R, F-sharp. There's a number of different languages that it supports, and now that is GA. So if you've got data scientists in your organization, you should definitely get them to come and do some notebook work with you, because it's a very cool thing. Essentially, security operations and security monitoring is big data and data science.

It's looking for patterns and anomalies just with a security focus. So we're going to be seeing, I'm very confident we will be seeing more and more of that as time goes on. So go and have a play around and see what you think. There are several Notebooks created by Microsoft in there to get you started, and see what you think.

So a whole bunch of items really caught my interest over the last few weeks. The first is a website we've set up for Microsoft Learn for Security, Compliance and Identity.

This is going to be one-stop shopping for learning more about security, compliance and identity on the Microsoft Cloud Platform. So as we've already mentioned, there will be links in the show notes. So heading over there, some of these videos that are available in Microsoft Learn have come from the Microsoft Ignite sessions. This is our virtual conference that we have, and this is where a lot of the information actually came out for the last couple of weeks around security news.

Next one is Azure Trusted Launch for virtual machines, this is now in public preview. Essentially, what this allows you to do is use a virtual trusted platform module, a vTPM. If you're familiar with a TPM that is required on Windows laptops, for example, it's a similar idea as that, except obviously it's virtualized because the machines themselves are also virtualized.

This essentially gives you the ability to have a trusted boot when virtual machines come up, which is also another really good example of a tool that is using the attestation service that's available in Azure, which I talked about a couple of weeks ago. Next one is Azure Sphere, 21.02 is now available. This is an OS upgrade as well as an SDK upgrade. So if you're not familiar with Azure Sphere, it's essentially a chip set that can be used for deploying secure IoT devices.

So some of the major changes that we see in that upgrade are some fixes to some vulnerabilities. Basically Linux kernel vulnerabilities; for those not aware, Azure Sphere is basically a small version of the Linux kernel running inside of a trusted piece of hardware. We also now have available in public preview the ability to provide automatic patching on Linux VMs. This is huge. We've historically had this available on Windows VMs.

So we can apply security patches and any patches that are marked as critical automatically. This is done obviously during off-peak hours, but that's now available in public preview for you to experiment with. This next one really caught my attention. This is Azure SQL Auditing, which is now generally available for streaming auditing events to Log Analytics and Event Hubs. All right. This requires a little bit of explanation.

So Azure SQL as you probably are well aware is a version of SQL Server that's available as a platform as a service offering inside of Azure. With that, there are obviously events and alerts and so on that happen on the Azure space. But what about SQL Server events? SQL Server has been around for a long time. It produces a lot of internal events that are very SQL Server specific.

Well, historically, they had their own file structure that was essentially buried deep inside the bowels of SQL Server. Well, now you can actually take those auditing events and actually stream them out through Log Analytics and Event Hubs. This to me is absolutely a godsend, I think, for admins who are looking at administering SQL Server or Azure SQL databases on Azure. This also applies to Azure Synapse Analytics.

Because now you don't have to go into the bowels of SQL Server, you can essentially just feed the data out automatically into Log Analytics. This is an absolutely huge announcement from Ignite. Next one is on the SQL Server theme, Advanced Notifications for Azure SQL Database is now in public preview. What that is is, if we know we're going to have to shut down your SQL Server instance for whatever reason, or do some rolling updates, that kind of thing.

Obviously, we design these systems in such a way that there's as little impact as possible on you. But now we can give you 24 hours' notice. Again, this is huge for people who need to have advance notification of this. We can do it through various notification methods such as email, SMS. We can do an Azure app push, and we also have support for additional actions, such as triggering, say, an Azure Function, a Logic App, or a webhook.

Again, for certain customers, this is huge because we're going to let you know that, hey, we need to take this thing offline to do some maintenance. This next one also really caught my eye. Some weeks ago, we had some of the folks from the Cosmos DB team, and we now have role-based access control using Azure Active Directory in Cosmos DB, and this is now in public preview. We've always had RBAC controls and Azure Active Directory support at the control plane.

People who are managing the environment, that's perfectly normal. That's essentially there for virtually every single Azure service that we have. But what we're talking about here is actually at the data plane. People who are using the system, historically Cosmos DB used essentially tokens or keys or whatever you want to call them. But basically an ID and you could either have read access or read-write access.

Well, now we can provide granular access at the data plane with RBAC controls, role-based access control using Azure Active Directory identities. I would say that this is probably, from my perspective, probably the biggest announcement out of Ignite. Followed very closely by the SQL Server announcements I mentioned earlier about being able to pull the SQL Server logs into Event Hubs and stream them into Log Analytics.

Next one, again, continuing the SQL Server theme, is we now have the ability to audit Microsoft operations against Azure SQL. What that means is let's say there's a support call that you raise and you need someone to go in and look at an Azure SQL instance. Well, that may happen over a period of time. Sometimes you may want to know actually what was done by Microsoft support personnel. Well, now you can get that information.

So this is generally available, it's just an option that you can turn on inside of the Azure SQL instance. But again, the nice thing is this applies to Azure SQL. It also applies to Azure Synapse and it applies to SQL Managed Instance. Again, when our Microsoft personnel go in and have to do secure support operations on your instances, that information is logged for you to analyze and look at later. Another big one is zone redundant storage for Azure managed disks.

This is pretty cool because what this means is, historically, managed disks are used for, I mean, amongst other things, virtual machines. Now what you can do is you can say, okay, for this particular instance, I want zone redundant storage.

So what that means is if there is a catastrophe, say a tornado or something, it completely takes out a data center with zone redundant storage, the virtual machine image is essentially well zone redundant, which means that if that zone is taken out, there is still an instance of that particular image that is stored in a different geographical area. So if one zone is taken out, then the VMs are still available.

Talking of managed disks, another topic here is automatic key rotation of customer managed keys for encrypting Azure managed disks, which is now in public preview. This does have some limitations. Most notably, you must be using a Premium SKU of Azure Key Vault. What that means is you're not using the version that uses just software-backed keys, you're using the version of Azure Key Vault that has hardware-backed keys. So that must be in there.

Also, there's some limitations as to the ciphers that you can use. But basically, this allows you to automatically rotate keys on a regular basis so that you don't have to. This is often required for compliance requirements. Not directly Azure related, but Windows Server 2022 is now available in preview. This provides a lot of new security features, including but certainly not limited to Secured-core server, which brings even more threat protection to the environment.

We also have TLS 1.3 enabled by default. That's a welcome addition. A lot of people have been wanting that in Windows, as well as some changes to SMB to support more improved security protocols. So basically, this is a version of Windows that takes into consideration the increases that we've seen over the last few years around cyber security threats and the impact of those incidents and the fact that they escalate so quickly.

So Windows Server 2022 is certainly worth kicking the tires on in terms of some of the new security technology. This is another one that sort of took my eye as well. Apparently, this has been available for some time. I just didn't realize. There is a blade called the demo logs blade inside of Azure.

Everyone has access to it, which allows you to experiment with, say, the Kusto Query Language to actually go in and play around with essentially a large volume of data, security and audit data, security sensor data, VM monitoring, Active Directory health checks, network performance monitoring, and so on. So this is available inside of your subscription. Technically, it isn't part of your subscription. You just have access to it. But you can go ahead and do really complex queries.

If you want to have an area that's using not your data, but it's still a large population of potentially real-world data, then this is the place to go. So it's called the demo logs blade. And as I alluded to at the very beginning, there will be links to this in the show notes. So now, the news for me is never complete without me talking about TypeScript, as probably many of you know by now. I'm not a fan of JavaScript. Not a fan of JavaScript at all.

In fact, a lot of people I know who use JavaScript on large projects where they've got to maintain a massive code base. Yeah, it's not fun trying to maintain that code base in JavaScript. And TypeScript is designed to help alleviate a lot of those issues. And from a security and correctness perspective, one of its major advantages over JavaScript is that it's strongly typed. And that alone helps you make more resilient software from the get go.

As some of you may be aware, essentially TypeScript is transpiled. In other words, it's cross-compiled into JavaScript. Visual Studio Code has built-in support for TypeScript. It's got a plugin that you can add. It gives you first-class support for TypeScript. Well, now we have available the new TypeScript handbook. If you are new to TypeScript or you want to dip your toes into TypeScript, you really need to lay your hands on this. It's a free download.

It's available in PDF format, just as a web page. And also in EPUB format, so you can load it onto your Kindle. But the thing I love about this is it's not like a really technical document that explains the syntax of the language and so on. It's more of, hey, so here's TypeScript. Now what do you do? How do you do this? What sort of tasks do you do? Here's some common issues that we face. And here's how you solve them in TypeScript. So this is an absolutely fantastic document.

It teaches incrementally. It uses the compiler a great deal to explain what's going on. And it's really written for the everyday person out there. This is not something that is designed for people who are compiler experts. This is an absolutely fantastic document. And it certainly fills a lot of the gaps in my knowledge. So well worth a read.

Well, and in fact, if you're a shop who's using a lot of JavaScript and all the headaches that come from maintaining a loosely typed language, as well as a myriad of other sins, well worth dipping your toes into TypeScript. This is another one that really caught my eye. I just realized I probably said this for absolutely every single news item. Azure Defender for Storage is now powered by Microsoft Threat Intelligence.

So Azure Defender is a suite of products, right? So there's Azure Defender for Identity. There's Azure Defender for Storage. There's Azure Defender for SQL. And there's many others. And these are all very, very specific versions of Azure Defender that can feed up to tools like Azure Security Center with, hey, this particular setting is incorrect, or this looks anomalous and so on.

Well, now what we're doing with Azure Defender for storage is we're taking a lot of the internal threat intelligence that we have at Microsoft, and using that to drive telemetry out of your storage accounts. So we may find that some combination of, perhaps an IP address, some time and some type of content may find its way into one of your storage accounts. And then we may decide that that's potentially nefarious.

By themselves, they may not seem overly nefarious, but once you add sort of all three of them together, then it becomes a potentially nefarious event. So this is another really cool technology. This is a great example of just leveraging the internal data that we have around threat intelligence, but for your storage accounts. So another fantastic one, this is probably another one of the really big announcements that really took my interest this week. We now have the ability in Azure Purview.

So Azure Purview is a relatively new tool. I think it was announced, I think December last year, December 2020. It's a tool that is based on Apache Atlas. The best way of describing it is it's like a unified data governance tool. It helps you manage and govern your on-prem data, your cloud data, whether it's in Azure, whether it's in AWS, for example, as well as your SQL databases. It really is a holistic up-to-date map of all your data in the environment.

It also includes things like sensitive data classification and the whole sort of end-to-end data lineage. So a really fantastic tool. Well, one of the features that we just added just recently is a connector for Amazon S3 buckets. So we include support for many sources of data, including Blob Storage, Cosmos DB, Azure Data Explorer, Data Lake Storage Gen1 and Gen2, Azure SQL, Azure Synapse, on-premises SQL Server, Oracle, Power BI, Teradata, a couple of SAP instances.

But now I've added Amazon S3 and I know for sure that this is something that a lot of customers have been asking for, so it's great to see that. And that wraps up the news on my end. Well, thanks everyone for listening. I realized this week was a little bit different. It was all news focused. Again, a lot of this was driven out of the Microsoft Ignite virtual conference.

In a couple of weeks' time, we'll be back to sort of our regularly scheduled program where we'll have a guest and we'll be covering a specific topic in Azure from a security standpoint. So again, thank you so much for listening. Stay safe out there and we'll see you next time.

Transcript source: Provided by creator in RSS feed.